The problem: access control policy management

Policies governing access and use of a resource traditionally have
been expressed via access control lists. In this model, control is
highly centralized: only one person or organization administers and
enforces the access control requirements.

It is not always easy to centralize policy control. An X-ray laser at
a university, for example, hypothetically may have several
stakeholders (parties with authority to grant access to the
resource), each of which brings its own set of concerns:

the principal investigator of the project for which the
laser was built, who needs his team to have full access;

the technician who operates it, who must ensure that no one is
hurt while using it;

the government agency that funded it, which may have
stringent national security or other restrictions;

the university's biological experiments oversight
committee, which has to approve any experiments in which the
laser is used on living creatures.

To change a stakeholder's access control requirements, the access
control enforcer must verify that the change request originated from
an authorized party (i.e., that stakeholder), check that the request
was not altered in transit, and only then make the appropriate
change. Such centralized and essentially manual updating does not
scale well, particularly if the parties are geographically or
organizationally dispersed.

A solution: distributed policy management

To address the issues raised in allowing restricted access to resources
which are controlled by multiple stakeholders, we have developed
Akenti. Akenti provides a way to express and to enforce an
access control policy without requiring a central enforcer and
administrative authority. The system's architecture is intended to
provide scalable security services in highly distributed network
environments.

Goals

Akenti was designed

to achieve the same level of expressiveness of access control
that would be available if a human controller were in the decision
loop, and

to reflect the existing policy (authority, delegation, and
responsibility) present in these environments.

More specifically, Akenti was intended

to allow each stakeholder to enforce its access control
requirements independently of the other stakeholders,

to allow each stakeholder to change its requirements at any
time and to be confident that the new requirements would take
effect immediately, and

to provide high assurance of integrity and non-repudiability
in the expression of the access control requirements.
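The checks described above (origin of a requirement, its integrity, independent enforcement per stakeholder, and changes taking effect immediately) as an added illustration in Go; this is not Akenti's own code or policy format. It assumes each stakeholder signs its own requirements with an Ed25519 key, that the enforcer trusts a fixed set of stakeholder public keys, and that an action is granted only when every stakeholder's validly signed requirements are met.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Policy is one stakeholder's requirements for one action on the resource.
type Policy struct {
	Stakeholder, Action string
	Require             []string // attributes the requester must hold
}
// SignedPolicy: encoded policy plus the stakeholder's signature over it.
type SignedPolicy struct{ Body, Sig []byte }

// SignPolicy is how a stakeholder publishes or replaces its requirements;
// no central administrator is involved (assumed model, not Akenti's format).
func SignPolicy(p Policy, priv ed25519.PrivateKey) SignedPolicy {
	body, _ := json.Marshal(p) // Policy has only encodable fields
	return SignedPolicy{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Decide grants the action only if every trusted stakeholder has a validly
// signed policy for it and the requester holds every attribute it requires.
func Decide(trusted map[string]ed25519.PublicKey, policies []SignedPolicy,
	action string, attrs map[string]bool) error {
	satisfied := map[string]bool{}
	for _, sp := range policies {
		var p Policy
		if json.Unmarshal(sp.Body, &p) != nil || p.Action != action {
			continue // malformed or for another action: ignored, never trusted
		}
		pub, ok := trusted[p.Stakeholder]
		if !ok || !ed25519.Verify(pub, sp.Body, sp.Sig) {
			return fmt.Errorf("policy naming %q: unknown signer or altered body", p.Stakeholder)
		}
		for _, a := range p.Require {
			if !attrs[a] {
				return fmt.Errorf("%s requires %q", p.Stakeholder, a)
			}
		}
		satisfied[p.Stakeholder] = true
	}
	for name := range trusted { // fail closed: every stakeholder must have spoken
		if !satisfied[name] {
			return fmt.Errorf("no valid policy from %s", name)
		}
	}
	return nil
}
```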

Akenti access control fundamentals

The resource that Akenti controls may be information,
processing or communication capabilities, or a physical system such as
a scientific instrument. Access can be the ability to obtain
information from the resource (e.g., "read" access), to
modify the resource (e.g., "write" access), or to cause that
resource to perform certain functions (e.g., changing instrument
control set points).